This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

tkent@: It looks like your CL might have caused a security regression. Can you PTAL?
https://chromium.googlesource.com/chromium/src/+/7b451a789df9be84623fc114a4efe00f5e9dbb5e

 Issue 726017  has been merged into this issue.

 Issue 726019  has been merged into this issue.

 Issue 726073  has been merged into this issue.

Users experienced this crash on the following builds:

Win Canary 60.0.3110.0 -  7.47 CPM, 63 reports, 56 clients (signature blink::NodeListsNodeData::AddCache<blink::ClassCollection>)
Win Canary 60.0.3110.0 -  1.19 CPM, 10 reports, 9 clients (signature blink::NodeListsNodeData::AddCache<blink::HTMLAllCollection>)
Win Canary 60.0.3110.0 -  1.07 CPM, 9 reports, 8 clients (signature blink::NodeListsNodeData::AddCache<blink::HTMLCollection>)
Mac Canary 60.0.3110.0 -  7.62 CPM, 20 reports, 15 clients (signature blink::ClassCollection* blink::NodeListsNodeData::AddCache<blink::ClassCollection>)
Mac Canary 60.0.3110.0 -  1.52 CPM, 4 reports, 4 clients (signature blink::HTMLTagCollection* blink::NodeListsNodeData::AddCache<blink::HTMLTagCollection>)
Mac Canary 60.0.3110.0 -  1.52 CPM, 4 reports, 4 clients (signature blink::HTMLCollection* blink::NodeListsNodeData::AddCache<blink::HTMLCollection>)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This crash has high impact on Chrome's stability.
Signature: blink::NodeListsNodeData::AddCache<blink::ClassCollection>.
Channel: canary. Platform: win.
Labeling  issue 725929  with ReleaseBlock-Dev.


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9cf04000e65705ebced49e4bc7e04ae0d2c7d895

commit 9cf04000e65705ebced49e4bc7e04ae0d2c7d895
Author: Kent Tamura <tkent@chromium.org>
Date: Fri May 26 01:42:40 2017

Fix a crash when getElementsByClassName() is called twice with the same argument including capital letters.

This fixes a regression by crrev.com/474217, which deleted a protector AtomicString
accidentally. This CL removes a tricky StringImpl* hash key in NodeListsNodeData.

BUG= 725929 
R=yosin@chromium.org

Review-Url: https://codereview.chromium.org/2903373002 .
Cr-Commit-Position: refs/heads/master@{#474870}

[modify] https://crrev.com/9cf04000e65705ebced49e4bc7e04ae0d2c7d895/third_party/WebKit/Source/core/dom/ElementTest.cpp
[modify] https://crrev.com/9cf04000e65705ebced49e4bc7e04ae0d2c7d895/third_party/WebKit/Source/core/dom/NodeListsNodeData.h

ClusterFuzz has detected this issue as fixed in range 474860:474872.

Detailed report: https://clusterfuzz.com/testcase?key=5557301422587904

Fuzzer: inferno_webbot
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  std::__1::pair<WTF::KeyValuePair<std::__1::pair<unsigned char, WTF::StringImpl*>
  blink::ClassCollection* blink::NodeListsNodeData::AddCache<blink::ClassCollectio
  blink::ContainerNode::getElementsByClassName
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=474215:474224
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=474860:474872

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5557301422587904


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Issue 726569 has been merged into this issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot